On Thu, 2008-03-13 at 12:04 -0700, David Wagner wrote:
> Toby Murray writes:
> >In the attack, the unsealer is being passed an object that has the
> >authority to cause the box to divulge its contents. Hence, one might
> >argue that the unsealer is being passed an object that is analogous to a
> >proxy for the box and, hence, the attack might be viewed as valid
> >behaviour in some cases.
>
> I'd say: This is an accurate description of the actual behavior of this
> sealer/unsealer implementation, but it's not the desired or intended or
> specified behavior for a sealer/unsealer. If Viktor is relying upon
> this Brand to behave like a brand ought to, then his security goals
> can be violated.

Could you expand on "like a brand ought to"? Better yet, can we agree on
a (formal) definition of the intended behaviour of a brand?

Should the unsealer be able to unseal a transparent forwarder for a box?
What about a revocable forwarder?

If we can't unseal proxies to boxes, we can't pass boxes through
membranes.

We appear to be getting into the realms of having to answer the question
"At what point is a proxy not a proxy?" This seems problematic.

I would argue (ironically enough, informally) that the code for the
brand should be fixed by ensuring that the unsealer sets both squirrer
and flag to null/false before returning. Then one can unseal proxies to
boxes, but your attack is still prevented.

I am uncomfortable, however, that the definition of "correct behaviour"
here seems rather fuzzy.
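
Editor's added illustration, not code from this thread or from E: a small Python model of a shared-variable sealer/unsealer that makes the proposed fix concrete. The thread does not reproduce the brand code or the attack, so the names `squirrer` and `flag`, the `share_content` protocol and the reentrancy scenario below are assumptions; the scenario is one attack that leaving state behind permits and that clearing `squirrer` and `flag` before returning blocks, offered to show the mechanism rather than as a transcript of the attack under discussion. The same model checks that transparent and revocable forwarders for a box still unseal with the fix in place.

```python
class InvalidBox(Exception):
    """The object handed to the unsealer did not act as a box of this brand."""


def make_brand_pair(reset_before_return):
    """Return (seal, unseal) sharing private state. reset_before_return=False
    leaves `squirrer`/`flag` set after a successful unseal; True is the fix."""
    # Hypothetical names after the thread: `squirrer` receives the contents,
    # `flag` records that a genuine box of this brand spoke up.
    state = {"squirrer": None, "flag": False}

    class Box:
        def __init__(self, contents):
            self._contents = contents

        def share_content(self):
            # Only boxes made by this sealer can reach `state`.
            state["squirrer"], state["flag"] = self._contents, True

    def unseal(box):
        state["squirrer"], state["flag"] = None, False
        box.share_content()  # arbitrary code; may re-enter unseal
        if not state["flag"]:
            raise InvalidBox()
        contents = state["squirrer"]
        if reset_before_return:
            state["squirrer"], state["flag"] = None, False
        return contents

    return Box, unseal


class Forwarder:
    """Transparent forwarder: passes share_content through to the real box."""

    def __init__(self, target):
        self._target = target

    def share_content(self):
        self._target.share_content()


class RevocableForwarder(Forwarder):
    """Forwarder that goes silent once revoke() is called."""

    def revoke(self):
        self._target = None

    def share_content(self):
        if self._target is not None:
            self._target.share_content()


class ReentrantBox:
    """Attacker's fake box. It cannot reach the brand state; instead its
    share_content calls a victim-exposed operation that happens to unseal a
    genuine box for the victim's own use (assumed scenario)."""

    def __init__(self, victim_callback):
        self._callback = victim_callback

    def share_content(self):
        self._callback()


def reentrancy_scenario(reset_before_return):
    """Victim unseals the attacker's object and would pass the result back to
    the attacker. Returns that result, or None if the unsealer rejected it."""
    seal, unseal = make_brand_pair(reset_before_return)
    real_box = seal("secret")
    fake = ReentrantBox(lambda: unseal(real_box))  # victim keeps this result
    try:
        return unseal(fake)
    except InvalidBox:
        return None


def forwarder_scenario(reset_before_return):
    """Proxies stay unsealable under either variant; a revoked one is rejected.
    Returns (via_forwarder, revocable_before, revocable_after)."""
    seal, unseal = make_brand_pair(reset_before_return)
    real_box = seal("secret")
    revocable = RevocableForwarder(real_box)
    before = unseal(revocable)
    revocable.revoke()
    try:
        after = unseal(revocable)
    except InvalidBox:
        after = None
    return unseal(Forwarder(real_box)), before, after


if __name__ == "__main__":
    print("unfixed unsealer returns:", reentrancy_scenario(False))  # secret
    print("fixed unsealer returns:", reentrancy_scenario(True))     # None
    print("forwarders:", forwarder_scenario(True))  # ('secret', 'secret', None)
```

With the state left behind, the outer unseal of the attacker's object reads the contents the nested, legitimate unseal deposited and attributes them to the fake box; clearing `squirrer` and `flag` before returning makes the outer call see no box speaking up and reject the object. A forwarder, by contrast, causes the real box to write the state inside the same unseal call, so it is accepted under both variants, which is the distinction the message draws between proxies and the attack.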